Feeds

Airline security critic raided by Feds

Don't even joke about it

3 Big data security analytics techniques

Indiana University graduate student Christopher Soghoian pointed out a flaw in airline security by posting a fake boarding pass generator online, and was rewarded with a visit from FBI agents with a search warrant.

The FBI raided his residence on Saturday, only days after the student posted a PHP script enabling anyone to print a boarding pass for Northwest Airlines.

It's unlikely that a fake pass would enable someone to board a flight they hadn't paid for, but it would suffice to get one into the "secure" area of an airport. Soghoian's example passes would fail at the gate when read electronically. Still, they would likely not be challenged until that point.

The trick involved is not new; indeed, it was publicised by Slate magazine in February 2005. Creating a script enabling any fool to generate a pass was Soghoian's contribution.

The Feds apparently considered this to be going a step further than providing information that's already available, and interpreted it as encouraging bad behaviour, even though Soghoian was clear about the fact that his example passes would not enable one to fly for free. They only demonstrated how easily people on the no-fly lists could find themselves wandering about an airport, if, for example, they were too lazy to get an ID and credit card issued under a different name.

Which brings us to the observation that, yes, airport security is crap, just as Soghoian's pass generator and the Slate article illustrate, and no, it really doesn't matter if people can print their own boarding passes, and even edit them.

In the five years since 9/11, the TSA has failed to catch a single terrorist, and it isn't because they're printing boarding passes. It's because the entire idea of setting up checkpoints at widely-publicised locations and waiting for terrorists to turn up and get caught is idiotic. Those who might be recognised visually aren't flying commercially.

The rest are simply declining to participate as well, or are travelling with authentic, government-issued passports and working credit cards obtained fraudulently - which is hardly more challenging than editing a boarding pass, but pays far better dividends, like actually being permitted to travel.

We note that US Representative Edward Markey (Democrat, Massachusetts) overreacted wildly to news of Soghoian's pass generator and called for his immediate arrest.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey exclaimed.

He later retracted that bit of political theatre: "Subsequently, I learned that the person responsible...intended to provide a public service by warning that this long-standing loophole could be easily exploited." Markey concluded that: "The Department of Homeland Security should put [Soghoian] to work showing public officials how easily our security can be compromised."

Markey is a member of the House Homeland Security Committee. With the midterm elections approaching, he's naturally eager to show the world that Democrats are just as security-savvy as Republicans claim to be. But he gets it wrong both times. He overstates the risk in the first place, and in the second place overestimates Soghoian's "contribution" to airline security in pointing out a minor flaw that's been known for years.

But so long as security remains a political football, this is the sort of rubbish we will have to listen to (The Register does commend Markey for not waiting until after the election to issue the retraction, as many others in his position would have done).

The homemade boarding pass is no big deal. The risk is minor, and it's mitigated somewhat by the fact that the passes issued by the airlines at check in, where ID is required, look different. This is by design, to give the TSA an opportunity to exercise a bit more care when screening passengers in possession of boarding passes obtained otherwise.

And yes, it would not be terribly difficult to make a facsimile of an airline-issued pass to escape extra scrutiny, but we have to point out that the real threat is undesirable travellers with false identities, proffering authentic travel documents. That's the right way to beat the system, and it's easy. No terrorist worth his salt is going to waste time Photoshopping boarding passes.

In the movies, the scoundrels always have a guy who does counterfeit passports. He's always eccentric, and strangely heliophobic for someone who does close work, but he's invariably a world-class artist. The counterfeits cost thousands of dollars and take several days.

In the real world, with a fake birth certificate, you can get a genuine passport in 24 hours for less than $200. Of course, movies wouldn't be as much fun if we kept that in mind. But when we're doing security, it's wise to remain clear on the differences between Hollywood and reality.

Meanwhile, we hope that Soghoian isn't destined to spend several years in prison for pointing out a security flaw that, ultimately, is irrelevant. ®

High performance access to file storage

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.